The CNCF offers a strong backbone of services to open source projects, built around the goal of sustaining most project needs outside of just code management and technical decisions. We offer an enhanced set of services via professional staff that cultivate the maturity and increased adoption of cloud native, open source projects. We take a data driven approach to working with our project and maintainer community; we actively survey to improve our services and community satisfaction on top of featuring services in our community spotlights.
These services are offered as part of community stability, but do not replace developers on the projects themselves and are never meant to be in the critical path of a project release or a full time resource. Our goal in providing these shared services is to cultivate CNCF’s graduating and incubating projects, and offer sandbox projects the space to grow into incubating projects.
CNCF hosts graduated, incubating, and sandbox projects. While we offer a shared set of services for all of our projects, we don’t provide substantial marketing services for sandbox projects as they are meant to be early stage projects that need a lightweight neutral home to grow naturally. Sandbox projects are prioritized lower for project services versus their incubating and graduated project peers.
Finally, this list isn’t meant to be an exhaustive list of services offered by the foundation. There may be things your project needs help with that aren’t listed here, and it’s completely OK to reach out to staff via the CNCF ServiceDesk and ask for help.
To improve access to CNCF services, we are implementing a service desk to serve as a single point of access for all CNCF services. We’re modeling this on the 3-1-1 service that Mayor Bloomberg rolled out in New York City to provide a single point of access to all municipal services. Project maintainers that are used to interacting with CNCF staff members directly by email or Slack are welcome to continue to do so, and it will be that staff member’s responsibility to log the request in the CNCF ServiceDesk.
CNCF’s services fall in the following general categories:
- Foundation
- Design and Aesthetics
- Program Management
- Legal Services
- Tools
- Technical Documentation
- Continuous Integration
- Certification and Services
- End User Community
- Internationalization
- Marketing (event management, marketing services and programs, marketing communications)
- Marketing announcements for projects
We offer CNCF projects and maintainers the following benefits:
A neutral home for an open source project increases the willingness of developers from enterprise software companies, start-ups, and independent developers to collaborate, contribute, and become committers. CNCF’s Technical Oversight Committee is the technical governing body, guided by documented principles, and admits and oversees all projects. Acceptance into CNCF by the TOC is an independent signal of the quality of your project.
For projects accepted into CNCF, the existing maintainers (or committers) still control the project. We help projects create a well-documented, neutral governance process. Any project that is added to CNCF must have ownership of its trademark and logo assets transferred to the Linux Foundation. For the full list of requirements, see IP Policy.
CNCF offers graphic design resources for all projects, provided primarily by our in-house design team. When new projects enter the foundation, they receive a new logo, website refresh if they wish, or an enhancement of their existing aesthetic. For example, see the CloudEvents or CNCF TAG-Security logo. If there is something creative you desire, please don’t hesitate to reach out!
All project logos and color schemes are readily available via the CNCF artwork GitHub repository.
CNCF, our parent organization The Linux Foundation, and our sibling projects combined have years of experience in providing program management services for open source projects. We collaborate on best practices which we bring to CNCF hosted projects.
CNCF staff is available to assist and guide your project. Below are some of the activities:
- CNCF will assist with collaborations between maintainers and LF fellows and CNCF sister projects in the LF to support knowledge sharing
- Project governance creation and advice
- Facilitating community meetings with support for online participation
- Administrative support for communication and project processes
- Security audits by independent third parties (e.g., Kubernetes security audit)
- Distributed systems safety research via independent third parties (e.g. https://jepsen.io/)
- Biweekly or monthly check in meetings with CNCF Staff as requested
- Project activity tracking and contribution reporting via https://devstats.cncf.io
Legal services keep a project healthy and in compliance with licensing requirements, intellectual property regimes, and industry norms. Specific legal services include:
- A neutral home for project assets and trademarks.
- Registering trademarks for your projects across geographies as needed
- Support and responses to threatened litigation. For example, we worked with the Kubespray maintainers to change their name back from Kargo after receiving a C&D.
- Contributor License Agreement (CLA) system that integrates with GitHub.
- Developer Certificate of Origin (DCO) system that integrates with GitHub.
- Protect trademarks, such as a Uniform Domain-Name Dispute-Resolution Policy (UDRP) action to take over kubernetes.cn.
- Assistance with open source licensing review and strategy as needed
- Access to legal staff should any legal questions arise.
CNCF Projects may freely select their own tools, produce their own documentation, and build their own websites. CNCF staff can support a project's activities in this area and can provide recommendations and/or access to these tools for your project. We also have special relationships with many vendors that offer enterprise level support.
- Zoom video conferencing Pro accounts for video meetings, recordings, and scheduling
- OpsGenie account for on-call rotations for production services, security disclosure lists, or other needs
- LastPass, 1Password and Keybase to manage shared secrets
- Netlify for website hosting, DNS management, and improved workflow/automation around documentation and websites
- Discourse for community discussion (e.g., https://discuss.kubernetes.io)
- Slack for communication for all projects in the Cloud Native Computing Foundation Slack
- FOSSA for license and security scanning
- Snyk for container image scanning
- Lift, a cloud-native and collaborative code analysis platform built for developers
- HackerOne for bug bounties
- Zapier for task and workflow automation
- Docker Hub for storing and managing container images
- LFX Security for source code security scanning and license compliance [white-labeled Snyk]
- Credly for custom badges (for example, the Linkerd Hero program)
- Scarf for advanced analytics for container & artifact distribution, package installation, and web traffic to source documentation
- Peritus.ai for Machine Learning analytics and self-service for developer communities
- Curiefense for application layer protection (web/api) - WAF, DDoS, Rate limiting, and more.
CNCF staff is familiar with, and can help projects with, hosting on AWS, GCP, and Azure clouds. In some cases, we have credits available for free hosting. We also have our own Community Infrastructure Lab.
CNCF invests significant capital per year to improve project documentation. This includes the following services:
- Documentation assessments to help projects understand where to make improvements
- Website hosting and setup
- Office hours for face-to-face time with writers
- Technical writers and contractors for specific projects
See Documentation services for projects for a full description of what the technical documentation team offers.
Documentation Examples
- Kubernetes (i18n support and case studies)
- Harbor (full redesign)
- gRPC (full redesign and contracted tech writing support)
- Helm (build pipeline overhaul and i18n support)
In the contemporary software landscape, virtually all major projects require heavy investment in continuous integration (CI) systems, which provide those projects with automated testing, dependency checking, security vetting, and so on. CNCF covers CI needs for our hosted projects and allows those projects to select their own platforms; many CI systems are currently in use amongst CNCF projects, including Travis CI, GitHub Actions, GitLab CI, Azure Pipelines, and Prow, the Kubernetes-based (and thus CNCF-sponsored) CI system used for Kubernetes and even some non-CNCF projects. Some projects are perfectly well served with fairly basic CI setups, whereas projects like Kubernetes and Envoy require significant financial and human resources.
CNCF, along with the Linux Foundation, has made a major investment in implementing training, expert certification for Kubernetes developers and administrators, and provider certification programs for Kubernetes as well as training for CNCF projects Prometheus and Fluentd. We have also worked with The Linux Foundation training team to develop self-paced online courses that can scale up a project’s reach beyond what’s possible using instructor-led courses. Over time, we expect to expand the training options to cover other projects. Examples of training we've already developed include:
- Free Introduction to Kubernetes course on edX MOOC
- Certified Kubernetes Administrator (CKA) exam
- CKAD: Kubernetes for Developers
- Monitoring Systems and Services with Prometheus
- Kubernetes and Cloud Native Associate (KCNA)
CNCF’s End User Community includes over 140 top companies and startups that depend on cloud native technologies and are committed to collaborative infrastructure development. The End User Community is an active participant in key technology decisions by CNCF-hosted projects with leadership positions on the TOC and contributions to many CNCF projects.
For the definition of an end user see: https://github.com/cncf/toc/blob/master/FAQ.md#what-is-the-definition-of-an-end-user
CNCF end users are telling their stories to help elevate the technical conversations to business objectives and challenges. CNCF projects are featured in these use cases and the impact cloud native projects are having on their business. You can explore case studies by project, such as Prometheus or Envoy.
CNCF has professional staff located in Asia Pacific to assist projects with their activities in that region. We offer internationalization support including:
- Assistance for projects presenting at meetups and events.
- Simultaneous live translations in both Chinese and English for our flagship KubeCon + CloudNativeCon China.
- Translation services for projects that wish to have blog posts translated into other languages, see Falco as an example.
Marketing services for projects are designed to assist with the awareness of the project, increase project adoption, and increase contributors. CNCF has marketing resources to support the projects in the following areas:
Events are a part of CNCF’s core strategy and they help our projects build a community with face-to-face interaction and knowledge sharing. KubeCon + CloudNativeCon, our flagship event, brings over 20,000 people together through our three regional events: North America, Europe, and China.
CNCF also runs and supports events targeted specifically for your project. We provide:
- Full event planning and logistical support
- Integrated marketing and communication plan including an event website, communications, and marketing of the event
- Obtaining sponsors for the event
- Media introductions
- Co-location opportunities with other LF events such as Open Source Summit
Some of the CNCF projects that have held their project specific events:
Projects and project maintainers can participate in CNCF events by:
- Creating a track for your project at KubeCon + CloudNativeCon events.
- At KubeCon + CloudNativeCon, host 2 maintainer sessions (an intro and deep dive) for your project.
- Participate in the Meet the Maintainer booths at KubeCon + CloudNativeCon events
- Submissions for call-for-proposals at KubeCon + CloudNativeCon are encouraged to discuss their use of CNCF projects.
- CNCF sponsors many third-party events each year, both in-person and virtual. Often with a booth, we encourage project maintainers to join CNCF in our participation to meet the event attendees and talk about your project. For virtual events, we advocate for presentations by project maintainers.
- CNCF supports numerous Linux Foundation events such as Open Source Summit and Open Networking Summit. We love to have project maintainers join CNCF at these events to educate the broader ecosystem on open source cloud native projects.
- For in-person events, project contributors are welcome to use our booth as a “home base” for meeting colleagues.
- Connect to our worldwide network of CNCF meetup groups and ambassadors to raise awareness of your project.
- Travel funding available for your non-corporate-backed developers and to increase attendance of women and other underrepresented minorities.
- At events, we promote all CNCF projects and help connect users and developers to our projects.
CNCF provides a full portfolio of marketing services and programs to support community and ecosystem engagement for CNCF projects. This includes:
- CNCF Online Programs: Graduated and incubating projects can participate in Online Programs like webinars, videos, and livestream. They can communicate release launch details or provide a project update. The exception is Kubernetes, which holds a webinar approximately 30 days after a release.
- CNCF Blog and Kubernetes.io Blog: Graduated and incubating projects can submit blog posts. Share technical content and how-to’s, stories about cloud native and project deployments, and use cases and success stories. Blog posts should not be vendor pitches. They must contain content that applies broadly to the Kubernetes and cloud native community. The Kubernetes blog receives over 1.5M visits a week.
- Case Studies: End user case studies help elevate the technical conversations to business objectives and challenges. This program features use cases and the impact CNCF project and cloud native technologies are having on end users’ businesses. The case studies build narratives around specific metrics that reflect the positive as a resource for companies considering adopting cloud native technologies.
- Newsletter: The CNCF newsletter is published monthly. Project updates are a regular feature in the newsletter.
- CNCF manages the blog editorial calendar for balanced content shared with the community. We also provide writing, editing, and funding freelancers to develop content.
- Project media velocity reports: Monthly, CNCF pulls press mentions and share of voice data for all projects including mentions in social media and key messaging.
- Fashion a Phippy: Graduated projects can donate a character to the Phippy and Friends program, to help others better understand the concepts of cloud native computing, and increasing the marketing and engagement opportunities for their project.
The goal of marketing communications is to generate awareness for the project and project milestones, community growth, and developer engagement. The communication activities provided by CNCF include:
- Proactive media and analyst coverage for projects including arranging and assisting with interviews and information sessions
- Promote project news and milestones through other channels: journalists, analysts, and news releases/blogs
- Identify top publications/podcasts (Bloomberg, Changelog, eWeek, Fortune, Forbes, InfoWorld, The New Stack, etc.) and develop plans to earn coverage through contributed articles, quotes, interviews, and news pick-up
- Secure analyst briefings for inclusion in reports: Gartner, Forrester, IDC, RedMonk, 451 Research and more
- Organize media/analyst luncheons, 1:1 meetings at key events
- Develop thought leadership reports, surveys, success stories, and case studies (print and video)
- Actively manage project social media channels (Twitter, LinkedIn, YouTube, GitHub, Flickr)
The CNCF marketing team can help create surveys for your project to help ascertain adoption or other interests. A prominent example is our annual Cloud Native Community Surveys. For smaller, more targeted surveys, we can assist. Submit a request via the CNCF Service Desk.
As projects have major or minor releases or move through the maturity levels, CNCF works with the projects on outbound communications. Below are the items we can do with you.
Every project has different needs and staff works with projects based on those needs. Below are the services offered as a project moves through the different graduation levels and the support for graduated and incubating project releases.
Projects moving to Graduation level receive:
- Press release announcement
- Presentation slot at the upcoming KubeCon + CloudNativeCon
- Embargoed pitch of the release and top features to the media. Requests for interviews go to the project team.
- Tweet on announcement day, including social card
Projects at the Incubation level receive:
- Blog post announcement on cncf.io written by CNCF marketing with assistance from the project team.
- Embargoed pitch of the announcement and top features to the media. Requests for interviews go to the project team.
- Tweet on announcement day, including social card
Projects coming in as Sandbox
- An announcement to the TOC mailing list on the day they are included into the Sandbox.
- If the media contacts CNCF regarding the news, CNCF will make an introduction directly to the project.
- Correct terminology: “Cloud Native Sandbox” or “CNCF Sandbox projects”
- CNCF does not provide press outreach, a CNCF or TOC briefing, a blog, or a social card
- Exception: A member may share a blog about any open source project, including a Sandbox project. See the CNCF blog guidelines
- Project webinar, up to a max of 2 per year
- Blog post announcement on cncf.io either written by CNCF PR with assistance by the project, re-posting of project's own blog post, or a blog post written exclusively for cncf.io by the project team
- Embargoed or day-of pitch of the release and top features to the media as relevant. Requests for interviews go to the project team.
- Tweet on announcement day
- Project webinar, up to a max of 2 per year
- Blog post announcement on cncf.io either written by CNCF PR with assistance by the project, re-posting of project's own blog post, or a blog post written exclusively for cncf.io by the project team
- Embargoed or day-of pitch of the release and top features to the media as relevant. Requests for interviews go to the project team.
- Tweet on announcement day
This list isn't a comprehensive list of all services covered. Projects can, and do, request additional services through CNCF Service Desk and we work to get them the help they need.
To contribute your project to CNCF or discuss how CNCF can help your project, email info@cncf.io and read the TOC repo https://github.com/cncf/toc#projects
If you’re a CNCF project committer/maintainer, all you have to do is visit https://servicedesk.cncf.io to request support.
All CNCF maintainers are listed here.
Projects are welcome to use their own tools in CNCF; we are a strong supporter of choice and flexibility. If you're interested in using a new tool and want CNCF to officially support it, please file a ticket and we will see what we can do to help!
Yes, you should receive a response within 48 hours.
CNCF doesn't set a fixed budget for each project and will work with you based on your needs.
GitHub has also recently improved the ability to do security disclosures and generate CVEs; we recommend projects use this: https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories#cve-identification-numbers. As a backup, you can submit a CVE using the MITRE CVE submission form: https://cve.mitre.org/cve/request_id.html (the CNCF is currently not a CNA).
It is recommended that CNCF projects create a security disclosure process to make it easier for adopters to report issues.
There is no one set way; you can look at other CNCF projects for examples:
- https://github.com/envoyproxy/envoy/blob/main/SECURITY.md
- https://github.com/etcd-io/etcd/blob/main/security/README.md
Also Google has put together a set of templates that may be useful: https://github.com/google/oss-vulnerability-guide
CNCF doesn't require projects to use any specific tool for sharing credentials, passwords or other confidential information; however, we recommend using Keybase or applying for 1Password's free open source plan.
CNCF prefers projects evaluate using our Community Cluster first. We have partnered with various providers that offer discounted or free services for CNCF projects. For example, CNCF projects may use the credits offered by Amazon Web Services to CNCF for upstream testing, CI/CD and other purposes. See the Tools section on this page for more details.
To benefit from one of these offers, please submit a Service Desk ticket with a detailed description of the request, including the purpose, a list of the desired services and a rough cost.
Code being run must be 100 percent open source and must not include any sensitive data.
Please note that available computing resources are limited, so we may ask you to reduce your usage when there is high demand for the available credits. Specifically, please consider shutting down unused computing resources, using automation to terminate bare metal/virtual machines that are not intended to run 24/7, using spot instances where applicable, etc. Please estimate your budget to use no more than $3000/month in AWS credits. If you expect higher resource usage on a regular basis, please consider using the CNCF Cluster instead.
CNCF expects fair usage of the allocated resources and credits, and reserves the right to terminate any allocated infrastructure resources and revoke the access to them in the case of violation of these rules.
My project is affected by the Docker Hub rate limits policy changes, what can I do?
In 2020, Docker announced the changes to image retention and data pull rates.
CNCF has reached an agreement with Docker that these limits can be eliminated for the CNCF projects - if your project is affected by these changes, please consider applying to the Docker Expanded Support for Open Source Software Projects program via the form.
NOTE: To have your application processed correctly by Docker, please explicitly mention that your project is hosted by CNCF. Also, please note that the approval process may take up to a few weeks.
Each CNCF project can decide on its own how to manage GitHub invites and teams. Some are small enough to do it manually; others use automated systems like the ones below:
- https://github.com/kubernetes/org
- https://github.com/cilium/team-manager
- https://github.com/apps/settings
- https://github.com/github/safe-settings
The CNCF has a special partnership with GitHub; please file a Service Desk ticket and we can expand the amount of hosted runner minutes. Note that some projects have also expanded their build capacity by using the CNCF Cluster via GHA External Runners.
Head to the Service Desk web site and try to log in. If you can't find an account, email info@cncf.io and one will be created for you.
The CNCF ServiceDesk policy for the Kubernetes community is defined at the Kubernetes Steering repo.
Email info@cncf.io and one will be created for you.
If you aren't happy with the service provided by CNCF staff or with a resolution of an issue, you have a couple of options. If it's a technical matter, you can appeal to the TOC https://github.com/cncf/toc and if it's a budget related matter you can appeal to the CNCF Developer Representatives on the GB.
Fuzzing is a technique for dynamically testing applications to find reliability and security bugs. Several CNCF projects use fuzz testing to analyse their code, such as Envoy, Fluent-bit, Vitess, Linkerd2-proxy, Prometheus, Kubernetes and more. The integration of fuzzing is often combined with OSS-Fuzz (all of the just-mentioned projects are integrated into OSS-Fuzz), which is a free online service that will run your fuzzer continuously. We highly recommend integrating fuzzing into your project, but the benefits of fuzzing vary from project to project.
Fuzzing works best with projects that have high code complexity, e.g. parsers, decoders, etc. but can be used in many other projects. You can fuzz projects in many languages, including C/C++, Go, Rust, Python and Typescript (not yet supported by OSS-Fuzz), and the type of bug you will find depends on which language your project is written in.
To give an understanding of the success fuzzing has achieved in various projects:
- Envoy has invested significantly in fuzzing and OSS-Fuzz has reported more than 700 bugs as well as 81 security relevant bugs
- Fluent-bit has been fuzzed for slightly more than a year, and OSS-Fuzz has reported more than 100 reliability issues and more than 50 security issues.
For an example where fuzzing was determined to have limited effects, consider Cloud Custodian. Cloud Custodian is a project written in Python and is very horizontal in its architecture in that it does not have deep code complexities. This is an example where fuzzing will have limited results, as discussed in detail in a PR on the Cloud Custodian repository. However, Cloud Custodian still benefited from fuzzing, which found a bug in the part of its code where fuzzing could be applied. Unlike the other projects mentioned above, Cloud Custodian is not integrated into OSS-Fuzz.
The following list indicates some common software properties that mean your code is likely to benefit from fuzzing:
- High code complexity
- Deep code paths
- Accepts untrusted input
- If a reliability or security issue occurs, it can have significant consequences for systems
- Is used as a library by other applications
- Projects in memory unsafe languages should have a high priority for being fuzzed (but fuzzing is not exclusive to memory unsafe languages)
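A small fuzz target of the kind OSS-Fuzz runs continuously, added here as an illustration and not taken from any CNCF project: a decoder for untrusted input plus a libFuzzer entry point that checks an invariant on every accepted input. The record format, `tlv_decode`, the seed arrays and the `WITH_LIBFUZZER` macro are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed record format (an assumption for this example):
 *   1 byte type | 2 byte big-endian length | `length` bytes of value
 * repeated until the end of the buffer. */
struct tlv_stats {
    size_t records;      /* number of complete records decoded */
    size_t value_bytes;  /* total bytes across all values */
};

/* Decode untrusted input. Returns 0 if the whole buffer is a sequence of
 * well-formed records, -1 otherwise. Never reads past data + size. */
int tlv_decode(const uint8_t *data, size_t size, struct tlv_stats *out)
{
    size_t off = 0;
    out->records = 0;
    out->value_bytes = 0;

    while (off < size) {
        /* Compare against the remaining byte count; this avoids the
         * overflow-prone form `off + 3 > size`. */
        if (size - off < 3)
            return -1;
        size_t len = ((size_t)data[off + 1] << 8) | data[off + 2];
        off += 3;
        /* The declared length must fit in what is left of the buffer.
         * Dropping this check is the kind of out-of-bounds read a
         * sanitizer-instrumented fuzzer reports within seconds. */
        if (len > size - off)
            return -1;
        out->records++;
        out->value_bytes += len;
        off += len;
    }
    return 0;
}

/* libFuzzer entry point, the function OSS-Fuzz builds call with each input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct tlv_stats st;
    if (tlv_decode(data, size, &st) == 0) {
        /* Invariant: accepted input is fully accounted for by the
         * 3-byte headers plus the value bytes. abort() marks a finding. */
        if (st.records * 3 + st.value_bytes != size)
            abort();
    }
    return 0;
}

/* Constructed seed inputs, also usable as a starting corpus. */
static const uint8_t SEED_OK[]        = {0x01, 0x00, 0x02, 'h', 'i', 0x02, 0x00, 0x00};
static const uint8_t SEED_OVERLONG[]  = {0x01, 0x00, 0x10, 'x'};  /* claims 16, has 1 */
static const uint8_t SEED_TRUNCATED[] = {0x01, 0x00};             /* header cut short */

#ifndef WITH_LIBFUZZER /* hypothetical macro: define it when libFuzzer supplies main */
int main(void)
{
    /* Replay the seeds through the same entry point the fuzzer uses. */
    LLVMFuzzerTestOneInput(SEED_OK, sizeof SEED_OK);
    LLVMFuzzerTestOneInput(SEED_OVERLONG, sizeof SEED_OVERLONG);
    LLVMFuzzerTestOneInput(SEED_TRUNCATED, sizeof SEED_TRUNCATED);
    return 0;
}
#endif
```

Built as written, the program replays the seeds as a regression check; built with clang's `-fsanitize=fuzzer,address` and `-DWITH_LIBFUZZER`, the same entry point is driven by libFuzzer with generated inputs.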